Remotely Controlling Automobiles Via Insecure Dongles

Automobiles are getting smarter and smarter. Nowadays many vehicles run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled. We’re not just talking about the window or seat adjustment controls, but also the instrument cluster, steering, brakes, and accelerator. These systems can make the driving experience better, but they also introduce an interesting avenue of attack. If the entire car is controlled by a computer, then what if an attacker were to gain control of that computer? You may think that’s nothing to worry about, because an attacker would have no way to remotely access your vehicle’s computer system. It turns out this isn’t so hard after all. Two recent research projects have shown that some ODBII dongles are very susceptible to attack.

The first was an attack on a device called Zubie. Zubie is a dongle that you can purchase to plug into your vehicle’s ODBII diagnostic port. The device can monitor sensor data from your vehicle and them perform logging and reporting back to your smart phone. It also includes a built-in GPRS modem to connect back to the Zubie cloud. One of the first things the Argus Security research team noticed when dissecting the Zubie was that it included what appeared to be a diagnostic port inside the ODBII connector.

Online documentation showed the researchers that this was a +2.8V UART serial port. They were able to communicate over this port with a computer with minimal effort. Once connected, they were presented with an AT command interface with no authentication. Next, the team decompiled all of the Python pyo files to get the original scripts. After reading through these, they were able to reverse engineer the communication protocols used for communication between the Zubie and the cloud. One particularly interesting finding was that the device was open for firmware updates every time it checked in with the cloud.

The team then setup a rogue cellular tower to perform a man in the middle attack against the Zubie. This allowed them to control the DNS address associated with the Zubie cloud. The Zubie then connected to the team’s own server and downloaded a fake update crafted by the research team. This acted as a trojan horse, which allowed the team to control various aspects of the vehicle remotely via the cellular connection. Functions included tracking the vehicle’s location, unlocking hte doors, and manipulating the instrument cluster. All of this can be done from anywhere in the world as long as the vehicle has a cellular signal.

A separate but similar project was also recently discussed by [Corey Thuen] at the S4x15 security conference. He didn’t attack the Zubie, but it was a similar device. If you are a Progressive insurance customer, you may know that the company offers a device that monitors your driving habits via the ODBII port called SnapShot. In exchange for you providing this data, the company may offer you lower rates. This device also has a cellular modem to upload data back to Progressive.

After some research, [Thuen] found that there were multiple security flaws in Progressive’s tracker. For one, the firmware is neither signed nor validated. On top of that, the system does not authenticate to the cellular network, or even encrypt its Internet traffic. This leaves the system wide open for a man in the middle attack. In fact, [Thuen] mentions that the system can be hacked by using a rogue cellular radio tower, just like the researchers did with the Zubie. [Thuen] didn’t take his research this far, but he likely doesn’t have too in order to prove his point.

The first research team provided their findings to Zubie who have supposedly fixed some of the issues. Progressive has made a statement that they hadn’t heard anything from [Thuen], but they would be happy to listen to his findings. There are far more devices on the market that perform these same functions. These are just two examples that have very similar security flaws. With that in mind, it’s very likely that others have similar issues as well. Hopefully with findings like this made public, these companies will start to take security more seriously before it turns into a big problem.

[Thanks Ellery]

Hackaday Links: October 27, 2013

hackaday-links-chain

[Kyle] came across a project which he thinks is “simply elegant”. If you don’t already have a PCB vice, here’s an easy way to build one of your own.

This one’s so good but alas it’s not a hack. Check out the slideshow tour at UC Boulder’s Fiske Planetarium. You get a really cool look at the hardware that makes the dome and projector such a great experience. [via Reddit]

Here’s a schematic and a couple of snapshots of [Trax’s] CAN bus hacking rig. He plans on doing a tutorial but decided to share this link after reading the first part of our own CAN hacking series.

These strings of LEDs bump to the tunes. [Alex] is using GrooveShark as a frequency analyzer, then pushing commands via Node.js to the Arduino controlling the lights. It’s all planned for the back porch during his Halloween party.

We remember drilling holes in the 3.5″ floppy discs (we even made a wood jig for this) to double their capacity. A similar blast from the past was to punch a notch in the larger 5.25″ versions to make them double-sided.

If you’re trying to learn about FFT [Ronald] highly recommends this website. We didn’t do too much poking around because it’s kind of strange. But if you do get sucked in and have fun with it leave a comment to let others know it’s worth their attention.

We suppose that using 39 Raspberry Pi boards and their camera modules isn’t the worst way to build a huge 3D model capture rig. The results certainly are impressive. [Thanks Wouter]

Radar detector integrated with dashboard display screens and steering wheel controls

CAN Bus hacking is all the rage right now. This particular project uses an early development version of an Arduino compatible CAN bus tool to integrate radar detector control into a Mazda dashboard. This image shows the output as the Whistler Pro-3600 radar detector boots up. The self test demonstrates what you would see on the dashboard display if your speed is checked using any of a handful of technologies. But it’s not just the dash display that’s working. The steering wheel controls are also capable of affecting the radar detector so that it can always be hidden from sight.

With auto manufacturers adding more numerous and larger displays to our vehicles it’s refreshing to see someone come up with a hack that makes pushing our own info to those screens possible. The CANBus Triple is an Arduino compatible board which patches into the data bus found in all modern vehicles. To integrate the Whistler for this hack [TheDukeZip] prototyped the interface on a regular Arduino board, then moved it over to the CANBus Triple once he had it working. Check out the video after the break to see the setup in action.

Continue reading “Radar detector integrated with dashboard display screens and steering wheel controls”

Driving the car without going anywhere

This video game controller is a factory fresh VW. Much like the racing simulator from earlier in the week, the video game data is being displayed on the instrument panel. This takes us to a much higher level now because control for the game is taken from the car’s CANbus using and ODB-II connector. If you don’t speak in automotive jargon, that means that the sensor readings from the steering wheel, shifter, and pedals are being picked up and exported as joystick commands to the PC running the driving game. The only place the experience uses a substitute for the real thing is the sound, which is being played through speakers instead of emanating from under the hood. Looks like you just need to add a projector and screen to your garage in order to turn it into the hottest new gaming device.